Your suggested change has been received. Thank you.

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

OneWelcome Identity Platform
- Explore Thales Docs

IDAAS core
User journey orchestration
Consent and preference management
Consent Management v2
- Admin UI guide
- Consent Management v2 APIs
Identity broker
Delegated User Management v2
Externalized authorization
Delegated user management
- Getting started
- Roles
- Rules
- User management
- Self service page
- Data
- APIs
- Apps
- Jobs
- Reports
Risk management
- Essential Edition
- Enhanced Edition
Mobile identity
- Mobile identity - Access component
- Mobile identity - Tulip
Mobile SDK
API references
Release notes and FAQ
Policy-Based Authorization Manager
Integrations
Identity Orchestrator (IO)

All

All

Web SDK

CORS (Cross-Origin Resource Sharing)

Please Note:

Risk management
Essential Edition
- Default rules
- Default policies
Enhanced Edition
- Quickstart
  - Tutorial overview
  - Collecting Signals
    - Collecting signals from a mobile
    - Collecting signals from a web page
    - Android
    - iOS
  - Evaluating risk
- Guides
  - What is a policy?
  - Managing policies in the IFP console
  - Evaluate risk with auth feedback
    - Overview
    - Collecting Signals
    - Risk Evaluation
    - Authenticating
    - Authentication Feedback
  - Reporting fraudulent transactions
  - Change password or PIN
  - Ionic Mobile Integration
    - Introduction
    - Setup your environment
    - Create Cordova Plugin
      - Introduction
      - Creating the native Android part of the plug-in
      - Creating the native iOS part of the plug-in
    - Add the plug-in to the app
- REST API
  - Partners
    - Partner technologies overview
    - Thales
    - ThreatMetrix
    - Global Score
      - Description
      - Global score computation
  - Authentication and authorisation
  - Implementing Client-Side Mutual TLS Authentication
  - OpenAPI - stand alone IFP
- SDK
  - Web SDK
    - Risk Management Javascript SDK
    - CORS (Cross-Origin Resource Sharing)
    - Definitions
    - Framework v1
      - Overview
      - Signal collection For a Multi Page Website
    - Framework v2
      - Overview
      - Specification
      - Integration examples
      - Partners Integration
  - Mobile SDK
    - Introduction
    - Overview
    - Signal groups and corresponding signals
      - Overview
      - Signal group size
    - SDK variants
    - SDK compatibilities
    - Release notes
    - Security
      - Android
      - iOS
    - Integration guidelines
      - Before you start
      - Basic integration
      - Advanced use cases
      - Debug vs. Release builds
      - Removal of Zimperium and InAuth SDK
      - Error codes
      - Troubleshooting
    - Permissions
      - OIP Risk Management SDK permissions
      - Permissions required for ThreatMetrix
      - iOS Certificate Pinning For Release Configuration
    - Privacy
      - Apple app privacy
    - Other
      - Android application size reduction
      - Exporting ThreatMetrix Certificate from Browser
      - Third-party libraries
      - Frequently asked questions
      - Appendix A: Evaluation
    - Glossary
    - API reference
    - Supported plaforms

Was this document helpful? Yes No

Feedback Sent!

If you like, you can provide additional feedback.

OneWelcome Identity Platform
Risk management
Enhanced Edition
SDK
Web SDK
CORS (Cross-Origin Resource Sharing)

CORS (Cross-Origin Resource Sharing)

Adding the GAH scripts into your web page(s) sends a cross-origin HTTP request to the GAH signal-collector domain. For security reasons, browsers block cross-origin requests initiated from within scripts.

CORS request flow diagram

As a result, the POST and PATCH /signals request sent to GAH will be blocked. In order to enable this cross-origin request, GAH supports the CORS protocol:

Before the POST or PATCH /signals request is made, the browser will first send an HTTP request (OPTIONS) to the GAH domain.
The GAH backend processes this request and checks that it originates from an authorized domain (by looking at the Origin HTTP header), for example: www.your-domain.com. Altogether, this means that every domain issuing POST or PATCH /signals requests to the GAH must be declared in the product.

Note

If you are implementing a risk assessment on your login page, and this page is delegated to an identity provider, the domain name of the server hosting the identity provider should be provisioned in GAH.

On this page

OneWelcome Identity Platform

© Copyright 2019-2026, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
- Customer Release Notes
- Support Contacts
Legal
- End User License Agreement
- Terms of Service

© Copyright 2019-2026, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com